PCI Compliance for MySQL & MariaDB with ClusterControl

This new whitepaper focuses on PCI-DSS requirements for a database back-end managed by ClusterControl and, more specifically, gives first-hand insight and recommendations on how to use ClusterControl to help make MySQL and MariaDB databases PCI compliant.

Table of contents

  • Introduction
  • Scope of the document
  • PCI Data Security Standard - The Requirements
    • Build and maintain a secure network and systems
      • Requirement 1
      • Requirement 2
    • Protect Cardholder Data
      • Requirement 3
      • Requirement 4
    • Maintain a vulnerability management programme
      • Requirement 5
      • Requirement 6
    • Implement Strong Access Control Measures
      • Requirement 7
      • Requirement 8
      • Requirement 9
    • Regularly monitor and test networks
      • Requirement 10
      • Requirement 11
    • Maintain an Information Security Policy
      • Requirement 12
      • Appendix A2
  • Onsite vs Cloud usage
  • Summing it up...
    • The future


The Payment Card Industry Data Security Standard (PCI-DSS) is a set of technical and operational requirements defined by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. PCI data that resides in a MySQL or MariaDB database must adhere to these requirements, and database administrators must follow best practices to ensure the data is secured and compliant.

Nowadays the security of payment card transactions is ensured on several fronts: on the cardholder side, EMV cards protect in-person transactions with a secure chip, and 3D Secure authenticates online purchases. PCI-DSS comes into play as soon as the transaction data leaves the cardholder and, through the merchant, is stored on back-end systems until it is processed by the banks.

The combination of those technologies and methods makes transactions more secure (as long as they are properly implemented). The technologies used by the cardholder are, by design, the simplest to use: physical possession of the card and a PIN to protect it, and a second authentication factor for 3D Secure.

Most of the difficulty ends up in the parts covered by PCI-DSS, which spans a long chain of processing entities, from the merchant itself to the card processor and then to the banks exchanging the money electronically. To keep track of the transaction, the cardholder data has to be processed and stored several times. The major card brands currently demand that all those actors comply with PCI-DSS at every step, under the threat of fines. That compliance is not a one-time operation or an off-the-shelf product. The environment where it applies is often heterogeneous (made up of various networked systems). It first has to be precisely defined, so that the boundary of the network is known, and then every interconnected device has to be set up according to the requirements. This covers network devices such as switches and routers, up to workstations and servers.

Severalnines ClusterControl can help to cover several aspects of compliance. PCI-DSS itself is a rather pragmatic approach to securing payment card data. For sensitive authentication data (CVV, PIN, …), the rule is simple: it must never be stored. Other data, such as the card number or cardholder name, can be kept as long as strict conditions are met. Such data is commonly stored in a database for processing, and that database must then be properly secured against intentional (or even unintentional) leaks, using techniques such as strong cryptography, access control and audit trails.

Want to read the rest?

Download the full whitepaper for free